Security Advisory Critical: php security update

Advisory: RHSA-2013:1826-1
Type: Security Advisory
Severity: Critical
Issued on: 2013-12-12
Last updated on: 2013-12-12
Affected Products: Red Hat Enterprise Linux ELS (v. 3)
Red Hat Enterprise Linux ELS (v. 4)
CVEs (cve.mitre.org): CVE-2013-6420

Details

Updated php packages that fix one security issue are now available for Red
Hat Enterprise Linux 3 and 4 Extended Life Cycle Support.

The Red Hat Security Response Team has rated this update as having critical
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP Server.

A memory corruption flaw was found in the way the openssl_x509_parse()
function of the PHP openssl extension parsed X.509 certificates. A remote
attacker could use this flaw to provide a malicious self-signed certificate
or a certificate signed by a trusted authority to a PHP application using
the aforementioned function, causing the application to crash or, possibly,
allowing the attacker to execute arbitrary code with the privileges of the
user running the PHP interpreter. (CVE-2013-6420)

Red Hat would like to thank the PHP project for reporting this issue.
Upstream acknowledges Stefan Esser as the original reporter of this issue.

All php users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. After installing the
updated packages, the httpd daemon must be restarted for the update to
take effect.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Updated packages

Red Hat Enterprise Linux ELS (v. 3)

SRPMS:
php-4.3.2-57.ent.src.rpm

IA-32:
php-4.3.2-57.ent.i386.rpm
php-devel-4.3.2-57.ent.i386.rpm
php-imap-4.3.2-57.ent.i386.rpm
php-ldap-4.3.2-57.ent.i386.rpm
php-mysql-4.3.2-57.ent.i386.rpm
php-odbc-4.3.2-57.ent.i386.rpm
php-pgsql-4.3.2-57.ent.i386.rpm
 
Red Hat Enterprise Linux ELS (v. 4)

File outdated by:  RHSA-2014:1825 (applies to every file listed for this product)

SRPMS:
php-4.3.9-3.37.el4.1.src.rpm

IA-32:
php-4.3.9-3.37.el4.1.i386.rpm
php-devel-4.3.9-3.37.el4.1.i386.rpm
php-domxml-4.3.9-3.37.el4.1.i386.rpm
php-gd-4.3.9-3.37.el4.1.i386.rpm
php-imap-4.3.9-3.37.el4.1.i386.rpm
php-ldap-4.3.9-3.37.el4.1.i386.rpm
php-mbstring-4.3.9-3.37.el4.1.i386.rpm
php-mysql-4.3.9-3.37.el4.1.i386.rpm
php-ncurses-4.3.9-3.37.el4.1.i386.rpm
php-odbc-4.3.9-3.37.el4.1.i386.rpm
php-pear-4.3.9-3.37.el4.1.i386.rpm
php-pgsql-4.3.9-3.37.el4.1.i386.rpm
php-snmp-4.3.9-3.37.el4.1.i386.rpm
php-xmlrpc-4.3.9-3.37.el4.1.i386.rpm

IA-64:
php-4.3.9-3.37.el4.1.ia64.rpm
php-devel-4.3.9-3.37.el4.1.ia64.rpm
php-domxml-4.3.9-3.37.el4.1.ia64.rpm
php-gd-4.3.9-3.37.el4.1.ia64.rpm
php-imap-4.3.9-3.37.el4.1.ia64.rpm
php-ldap-4.3.9-3.37.el4.1.ia64.rpm
php-mbstring-4.3.9-3.37.el4.1.ia64.rpm
php-mysql-4.3.9-3.37.el4.1.ia64.rpm
php-ncurses-4.3.9-3.37.el4.1.ia64.rpm
php-odbc-4.3.9-3.37.el4.1.ia64.rpm
php-pear-4.3.9-3.37.el4.1.ia64.rpm
php-pgsql-4.3.9-3.37.el4.1.ia64.rpm
php-snmp-4.3.9-3.37.el4.1.ia64.rpm
php-xmlrpc-4.3.9-3.37.el4.1.ia64.rpm

x86_64:
php-4.3.9-3.37.el4.1.x86_64.rpm
php-devel-4.3.9-3.37.el4.1.x86_64.rpm
php-domxml-4.3.9-3.37.el4.1.x86_64.rpm
php-gd-4.3.9-3.37.el4.1.x86_64.rpm
php-imap-4.3.9-3.37.el4.1.x86_64.rpm
php-ldap-4.3.9-3.37.el4.1.x86_64.rpm
php-mbstring-4.3.9-3.37.el4.1.x86_64.rpm
php-mysql-4.3.9-3.37.el4.1.x86_64.rpm
php-ncurses-4.3.9-3.37.el4.1.x86_64.rpm
php-odbc-4.3.9-3.37.el4.1.x86_64.rpm
php-pear-4.3.9-3.37.el4.1.x86_64.rpm
php-pgsql-4.3.9-3.37.el4.1.x86_64.rpm
php-snmp-4.3.9-3.37.el4.1.x86_64.rpm
php-xmlrpc-4.3.9-3.37.el4.1.x86_64.rpm
 
(The unlinked packages above are only available from the Red Hat Network)
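
Because the fix is a backported patch, the upstream PHP version stays at 4.3.2 or 4.3.9 and only the RPM release changes, so a host has to be checked against the full version-release string. The following is an added example, not part of the Red Hat advisory: it compares installed php packages with the fixed builds named above. The product keys "el3"/"el4", the function names and the sample query output are assumptions made for illustration, and epochs are assumed equal and ignored.

```python
import re

# Fixed (VERSION, RELEASE) per product, taken from the package names in this advisory.
FIXED = {"el3": ("4.3.2", "57.ent"), "el4": ("4.3.9", "3.37.el4.1")}

def rpmvercmp(a, b):
    """Segment-wise comparison in the style of rpm (no '~' or '^' handling)."""
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment is newer than an alphabetic one
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_fixed(product, version_release):
    """True if VERSION-RELEASE is at or above the fixed build for the product."""
    version, release = version_release.rsplit("-", 1)
    fixed_version, fixed_release = FIXED[product]
    return (rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)) >= 0

def unpatched(product, query_output):
    """Names of packages in the rpm query output that are below the fixed build."""
    names = []
    for line in query_output.splitlines():
        if line.strip():
            name, version_release = line.split()
            if not is_fixed(product, version_release):
                names.append(name)
    return names

# Constructed sample of: rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | grep '^php'
SAMPLE_EL4 = """\
php 4.3.9-3.37.el4.1
php-ldap 4.3.9-3.36
php-mysql 4.3.9-3.37.el4.1
"""

if __name__ == "__main__":
    print(unpatched("el4", SAMPLE_EL4))
```

An empty result only describes the packages on disk; as stated above, a running httpd keeps the old code loaded until it is restarted.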

Bugs fixed (see bugzilla for more information)

1036830 - CVE-2013-6420 php: memory corruption in openssl_x509_parse()


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/